Attackers had access to customers' recipient lists and contacts

Apr 28, 2015 14:20 GMT

Following an investigation into the compromise of a SendGrid account belonging to Coinbase, the email service found that the attack ran deeper than a single account: it reset all customer passwords and asked 600 customers to regenerate their DKIM authentication keys.

The compromised Coinbase email address was used to deliver fraudulent messages to the customers of the digital currency exchange service, in an attempt to trick them into depositing bitcoins into wallets controlled by the cybercriminals.

Usernames, emails and passwords were accessed

SendGrid learned earlier this month that it had fallen victim to a cyberattack in which the account of one of its employees was hijacked and used to access multiple internal systems on three occasions in February and March 2015.

The company serves more than 180,000 customers, enabling them to deliver mass emails to their own customers. Over 14 billion messages are sent each month via SendGrid on behalf of popular services such as Foursquare, Spotify and Uber.

The servers accessed by the attacker contained usernames, email addresses and passwords for SendGrid employees and customers. David Campbell, the company's chief security officer, says in a blog post that the passwords were salted and iteratively hashed, a security measure that should prevent cybercriminals from recovering the passwords in plain text.

The investigation also revealed that the unauthorized third parties were able to access customers’ email lists and contacts. “We have not found any forensic evidence that customer lists or customer contact information was stolen,” Campbell says.

Nevertheless, as a precaution against further leaks, SendGrid reset all passwords. Payment card information is unaffected because this data is not stored on the email service's systems.

Better security is on its way

The 600 customers relying on DKIM to validate their messages should generate new keys from SendGrid's interface and update their DNS records so that the new public key is published.

DomainKeys Identified Mail (DKIM) is a system that lets a receiving mail server validate, through a cryptographic signature checked against a public key published in the sending domain's DNS, that a message was authorized by that domain and not altered in transit, preventing others from making nefarious use of the legitimate address.
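The rotation step described above, reduced to its cryptographic core, as an added example that is not SendGrid's code or part of the original article. It generates a fresh RSA key, builds the `<selector>._domainkey.<domain>` TXT record a customer would publish, parses that record back the way a receiving server does, and shows that a signature made with the old (compromised) key no longer verifies once the new key is in DNS. The selector `s2`, the domain `example.com` and the sample headers are constructed; real DKIM canonicalization and the `DKIM-Signature` header itself are omitted, only the rsa-sha256 signing DKIM uses is shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// GenerateDKIMKey creates a fresh RSA key pair for a selector.
func GenerateDKIMKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// DNSRecord builds the TXT record that publishes pub:
// name "<selector>._domainkey.<domain>", value "v=DKIM1; k=rsa; p=<base64>".
func DNSRecord(selector, domain string, pub *rsa.PublicKey) (string, string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	name := selector + "._domainkey." + domain
	return name, "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

// ParseDNSRecord recovers the RSA public key from a record value, as a receiver does after a DNS lookup.
func ParseDNSRecord(value string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) != 2 || kv[0] != "p" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(kv[1]))
		if err != nil {
			return nil, err
		}
		pub, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, err
		}
		if rsaPub, ok := pub.(*rsa.PublicKey); ok {
			return rsaPub, nil
		}
		return nil, errors.New("DKIM record does not hold an RSA key")
	}
	return nil, errors.New("no p= tag in DKIM record")
}

// Sign produces an rsa-sha256 (RSASSA-PKCS1-v1_5) signature over the header
// text; DKIM's header canonicalization is omitted in this example.
func Sign(priv *rsa.PrivateKey, headers string) ([]byte, error) {
	digest := sha256.Sum256([]byte(headers))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify checks a signature against the key currently published in DNS.
func Verify(pub *rsa.PublicKey, headers string, sig []byte) bool {
	digest := sha256.Sum256([]byte(headers))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Rotate replaces the key behind a selector and reports whether a signature made
// with the old key still verifies (it should not) and whether one made with the new key does.
func Rotate(oldPriv *rsa.PrivateKey, selector, domain, headers string) (bool, bool, error) {
	oldSig, err := Sign(oldPriv, headers)
	if err != nil {
		return false, false, err
	}
	newPriv, err := GenerateDKIMKey(2048)
	if err != nil {
		return false, false, err
	}
	_, value, err := DNSRecord(selector, domain, &newPriv.PublicKey)
	if err != nil {
		return false, false, err
	}
	published, err := ParseDNSRecord(value) // what receivers resolve from now on
	if err != nil {
		return false, false, err
	}
	newSig, err := Sign(newPriv, headers)
	if err != nil {
		return false, false, err
	}
	return Verify(published, headers, oldSig), Verify(published, headers, newSig), nil
}

func main() {
	oldKey, _ := GenerateDKIMKey(2048)
	// Constructed sample headers; a real signer canonicalizes these first.
	oldOK, newOK, _ := Rotate(oldKey, "s2", "example.com", "from:notify@example.com\r\n")
	fmt.Printf("old key's signature verifies: %v, new key's: %v\n", oldOK, newOK)
}
```

Until the new record has propagated and mail signed with the old key has stopped being delivered, receivers will still see valid signatures from the compromised key, which is why the DNS update has to follow the key generation promptly rather than the other way round.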

The mass email service also advises its clients to turn on two-factor authentication (2FA) and to create strong, unique passwords, even though passwords are stored on its servers only in salted, hashed form.

Additionally, as part of SendGrid's commitment to security, the company will release API keys that administrators can use for authentication instead of a username/password pair. Separate keys can be generated for individual applications and servers, making authentication and revocation more flexible and secure.

On the same note, Campbell says that the “engineering team is also expediting the release of IP whitelisting, which will permit customers to authorize specific IP ranges to interact with their SendGrid account’s control panel, further reducing security exposure.”
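The two controls announced above, per-application API keys that can be revoked individually and an IP whitelist for the control panel, as an added illustration written for this page; it is not SendGrid's implementation and the API does not reflect their product. The key format `<id>.<secret>`, the account structure, the decision to treat an empty whitelist as "feature not enabled", and the sample ranges `203.0.113.0/24` and `198.51.100.7` are all assumptions of the example. Only a SHA-256 hash of each secret is stored; because the secret is a long random value rather than a user-chosen password, the salted iterative hashing the article mentions for passwords is not needed here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// APIKey is one credential issued to one application or server, so it can be
// revoked on its own without touching the account password or other keys.
type APIKey struct {
	ID         string
	Label      string   // holder, e.g. "billing-worker"
	Revoked    bool
	secretHash [32]byte // only a hash of the secret is kept server-side
}

// Account holds a customer's keys and the IP ranges allowed to use the control panel.
type Account struct {
	keys    map[string]*APIKey
	allowed []*net.IPNet
}

func NewAccount() *Account { return &Account{keys: map[string]*APIKey{}} }

var ErrUnauthorized = errors.New("unauthorized")

// IssueKey mints a key "<id>.<secret>"; the secret is shown once and never stored.
func (a *Account) IssueKey(label string) (string, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id, secret := hex.EncodeToString(buf[:6]), hex.EncodeToString(buf[6:])
	a.keys[id] = &APIKey{ID: id, Label: label, secretHash: sha256.Sum256([]byte(secret))}
	return id + "." + secret, nil
}

// RevokeKey disables a single key; every other key keeps working.
func (a *Account) RevokeKey(id string) bool {
	k, ok := a.keys[id]
	if !ok {
		return false
	}
	k.Revoked = true
	return true
}

// Authenticate looks the key up by id, rejects revoked keys, then compares the
// secret's hash in constant time.
func (a *Account) Authenticate(presented string) (*APIKey, error) {
	parts := strings.SplitN(presented, ".", 2)
	if len(parts) != 2 {
		return nil, ErrUnauthorized
	}
	k, ok := a.keys[parts[0]]
	if !ok || k.Revoked {
		return nil, ErrUnauthorized
	}
	h := sha256.Sum256([]byte(parts[1]))
	if subtle.ConstantTimeCompare(h[:], k.secretHash[:]) != 1 {
		return nil, ErrUnauthorized
	}
	return k, nil
}

// AllowRange adds a CIDR range to the control-panel whitelist.
func (a *Account) AllowRange(cidr string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	a.allowed = append(a.allowed, n)
	return nil
}

// ControlPanelAllowed reports whether ip may reach the control panel. An empty
// whitelist means the feature is not enabled (an assumption of this example).
func (a *Account) ControlPanelAllowed(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil || len(a.allowed) == 0 {
		return addr != nil // unparsable address: deny; no whitelist: allow
	}
	for _, n := range a.allowed {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	acct := NewAccount()
	key, _ := acct.IssueKey("billing-worker")
	_ = acct.AllowRange("203.0.113.0/24") // constructed documentation range
	_, err := acct.Authenticate(key)
	fmt.Println("key accepted:", err == nil, "panel from 198.51.100.7:", acct.ControlPanelAllowed("198.51.100.7"))
}
```

The point of the per-key design is visible in `RevokeKey`: when one server or application is compromised, its key is disabled without forcing a password reset on the whole account, and the remaining keys keep working. The whitelist check is deliberately separate from key authentication because the article describes it as guarding the control panel rather than the sending API.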